Vulnerabilities > Redmine > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-11-05 | CVE-2023-47258 | Cross-site Scripting vulnerability in Redmine Redmine before 4.2.11 and 5.0.x before 5.0.6 allows XSS in a Markdown formatter. | 6.1 |
| 2023-11-05 | CVE-2023-47259 | Cross-site Scripting vulnerability in Redmine Redmine before 4.2.11 and 5.0.x before 5.0.6 allows XSS in the Textile formatter. | 6.1 |
| 2023-11-05 | CVE-2023-47260 | Cross-site Scripting vulnerability in Redmine Redmine before 4.2.11 and 5.0.x before 5.0.6 allows XSS via thumbnails. | 6.1 |
| 2022-12-12 | CVE-2022-44031 | Cross-site Scripting vulnerability in Redmine Redmine before 4.2.9 and 5.0.x before 5.0.4 allows persistent XSS in its Textile formatter due to improper sanitization of the blockquote syntax in Textile-formatted fields. | 6.1 |
| 2022-12-12 | CVE-2022-44637 | Cross-site Scripting vulnerability in Redmine Redmine before 4.2.9 and 5.0.x before 5.0.4 allows persistent XSS in its Textile formatter due to improper sanitization in Redcloth3 Textile-formatted fields. | 6.1 |
| 2021-10-12 | CVE-2021-42326 | Redmine before 4.1.5 and 4.2.x before 4.2.3 may disclose the names of users on activity views due to an insufficient access filter. | 5.3 |
| 2021-04-28 | CVE-2021-31866 | Information Exposure Through Discrepancy vulnerability in multiple products Redmine before 4.0.9 and 4.1.x before 4.1.3 allows an attacker to learn the values of internal authentication keys by observing timing differences in string comparison operations within SysController and MailHandlerController. | 5.3 |
| 2021-04-28 | CVE-2021-31865 | Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1 allows users to circumvent the allowed filename extensions of uploaded attachments. | 5.3 |
| 2021-04-28 | CVE-2021-31864 | Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1 allows attackers to bypass the add_issue_notes permission requirement by leveraging the incoming mail handler. | 5.3 |
| 2021-04-06 | CVE-2020-36308 | Injection vulnerability in multiple products Redmine before 4.0.7 and 4.1.x before 4.1.1 allows attackers to discover the subject of a non-visible issue by performing a CSV export and reading time entries. | 5.3 |